CISCO-3096 (032590-0001 1 8) 

Amendments to the Claims: 

This listing of claims will replace all prior versions, and listings, of claims in the application: 

1. (Currently Amended) A method for controlling subscriber access in a network capable of 
establishing cormections with a plurality of domains, comprising: 

receiving, at an access server coupled to a first communication network and a second 
conmiunication network, a communication from a subscriber on said first 
communication network, said communication optionally including a domain identifier 
associated with a domain on said second communication network; and 

d e termining wh e ther said subscrib e r is authoriz e d to acc e ss said domain based upon said 
domain id e ntifi e r and a list of authoriz e d domains for a virtual circuit us e d to r e c e iv e 
said communication; and 

authorizing subscriber access to said domain on said second communication network upon 
determining wh e n said domain identifier is included in smd a list of authorized domains 
for a virtual circuit used to receive said communication, said authorizing responsive to 
said receiving . 

2. (Original) The method of claim 1, further comprising terminating said communication when 
said domain identifier is not included in said list. 

3. (Original) The method of claim 1 wherein said communication comprises a Point- to-Point 
Protocol (PPP) session. 
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4. (Original) The method of claim 3 wherein 
said PPP session comprises a tunneling session; 

said determining further comprises assigning a tunnel ID; and 
said PPP session is forwarded onto a tunnel associated with said tunnel ID when said 
subscriber is authorized to access said domain. 

5. (Original) The method of claim 4 wherein said tunneling session comprises an L2TP 
session. 

6. (Original) The method of claim 5 wherein said determining further comprises: 
issuing an authorized domain list request including a virtual circuit identifier; 
receiving an authorized domain list that includes authorized domains for said identifier; 
indicating said domain is unauthorized when said domain name is not in said domain list; 
indicating said domain is authorized when said domain name is in said domain list; 
issuing a tunnel ID request including said domain name when said domain name is 

authorized; and 
receiving a tunnel ID. 

7. (Original) The method of claim 6 wherein 

. said authorized domain list request is serviced by an AAA server; and 
an AAA server services said tunnel ED request. 
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8. (Original) The method of claim 6 wherein said virtual circuit identifier comprises a 
VPWCI identifier. 

9. (Original) The method of claim 5 wherein said determining further comprises: 

issuing a tunnel ID request including said domain name and a virtual circuit identifier; and 
receiving a tunnel E). 

10. (Original) The method of claim 9 wherein an AAA server services said tunnel ID request. 

1 1 . (Original) The method of claim 9 wherein said virtual circuit identifier comprises a 
VPWCI identifier. 

12. (Original) The method of claim 5 wherein said determining fiirther comprises: 
performing a table lookup based on a virtual circuit identifier to obtain an authorized domain 

list that includes authorized domains far said virtual circuit identifier; 
indicating said domain is unauthorized when said domain name is not in said authorized 
domain list; 

indicating said domain is authorized when said domain name is in said authorized domain 
list; and 

performing a table lookup based on said domain name to obtain a tunnel ID when said 
domain name is authorized. 
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13. (Original) The method of claim 12 wherein said virtual circuit identifier comprises a 
VPWCI identifier. 

14. (Currently Amended) A program storage device readable by a machine, embodying a 
program of instructions executable by the machine to perform a method to control subscriber 
access in a network capable of establishing connections with a plurality of domains, the 
method comprising: 

receiving, at an access server coupled to a first communication network and a second 
communication network, a communication from a subscriber on said first 
communication network, said communication optionally including a domain identifier 
associated with a domain on said second communication network; and 

d e t e rmining whether said subscrib e r is authoriz e d to acc e ss said domain bas e d upon said 
domain id e ntifi e r and a list of authoriz e d domains for a virtual circuit us e d to r e c e iv e 
said communication; and 

authorizing subscriber access to said domain on said second communication network upon 
determining wh e n said domain identifier is included in said a list of authorized domains 
for a virtual circuit used to receive said communication, said authorizing responsive to 
said receiving . 

15. (Original) The program storage device of claim 14, fiirther comprising terminating said 
communication when said' domain identifier is not included in said list. 
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16. (Original) The program storage device of claim 14 wherein said communication comprises a 
Point-to-Point Protocol (PPP) session. 

17. (Original) The program storage device of claim 16 wherein 
said PPP session comprises a tunneling session; 

said determining further comprises assigning a tunnel ID; and 
said PPP session is forwarded onto a tunnel associated with said tunnel ID when said 
subscriber is authorized to access said domain. 

18. (Original) The program storage device of claim 17 wherein said tunneling session comprises 
an L2TP session. 

19. (Original) The program storage device of claim 18 wherein said determining further 
comprises: 

issuing an authorized domain list request including a virtual circuit identifier; 
receiving an authorized domain list that includes authorized domains for said identifier; 
indicating said domain is unauthorized when said domain name is not in said domain list; 
indicating said domain is authorized when said domain name is in said domain list; 
issuing a tunnel ID request including said domain name when said domain name is 

authorized; and 
receiving a tunnel JD. 

20. (Original) The program storage device of claim 19 wherein 
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said authorized domain list request is serviced by an AAA server; and 
an AAA server services said tunnel ID request. 

21. (Original) The program storage device of claim 19 wherein said virtual circuit identifier 
comprises a VPWCI identifier. 

22. (Original) The program storage device of claim 18 wherein said determining fiirther 
comprises: 

issuing a tunnel ID request including said domain name and a virtual circuit identifier; and 
receiving a tunnel E). 

23. (Original) The program storage device of claim 22 wherein an AAA server services said 
tunnel ID request. 

24. (Original) The program storage device of claim 22 wherein said virtual circuit identifier 
comprises a VPWCI identifier. 

25. (Original) The program storage device of claim 18 wherein said determining fiirther 
comprises: 

performing a table lookup based on a virtual circuit identifier to obtain an authorized domain 
list that includes authorized domains for said virtual circuit identifier; 

indicating said domain is unauthorized when said domain name is not in said authorized 
domain list; 
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indicating said domain is authorized when said domain name is in said authorized domain 
hst; and 

perforaiing a table lookup based on said domain name to obtain a tunnel ID when said 
domain name is authorized. 



26. (Original) The program storage device of claim 25 wherein said virtual circuit identifier 
comprises a VP WCI identifier. 

27. (Currently Amended) An apparatus for controlling subscriber access in a network capable of 
establishing connections with a plurality of domains, the apparatus comprising: 

means for receiving, at an access server coupled to a first communication network and a 
second communication network, a communication from a subscriber on said first 
communication network, said communication optionally including a domain identifier 
associated with a domain on said second communication network; and 

m e ans for det e rmining wh e th e r said subscrib e r is authoriz e d to acc e ss said domain bas e d 
upon said domain id e ntifi e r and a list of authorized domains for a virtual circuit us e d to 
rec e iv e said communication; and 

means for authorizing subscriber access to said domain on said second commimication 
network upon determining wh e n said domain identifier is included in said a list of 
authorized domains for a virtual circuit used to receive said communication, said 
authorizing responsive to said receiving . 
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28. (Original) The apparatus of claim 27, further comprising means for terminating said 
communication when said domain identifier is not included in said list. 

29. (Original) The apparatus of claim 27 wherein said communication comprises a Point-to- 
Point Protocol (PPP) session. 

30. (Original) The apparatus of claim 29 wherein 
said PPP session comprises a tunneling session; 

said determining further comprises means for assigning a tunnel ID; and 
said PPP session is forwarded onto a tunnel associated with said tunnel E) when said 
subscriber is authorized to access said domain. 

31. (Original) The apparatus of claim 30 wherein said tunneling session comprises an L2TP 
session. 

32. (Previously Presented) The apparatus of claim 31 wherein said determining further 
comprises: 

means for issuing an authorized domain list request including a virtual circuit identifier; 
means for receiving an authorized domain list that includes authorized domains for said 
identifier; 

means for indicating said domain is unauthorized when said domain name is not in said 
domain list; 
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means for indicating said domain is authorized when said domain name is in said domain 
list; 

means for issuing a tunnel ID request including said domain name when said domain name 

is authorized; and 
means for receiving a tunnel ID. 

33. (Original) The apparatus of claim 32 wherein 

said authorized domain list request is serviced by an AAA server; and 
an AAA server services said tunnel ID request. 

34. (Original) The apparatus of claim 32 wherein said virtual circuit identifier comprises a 
VPWCI identifier. 

35. (Original) The apparatus of claim 31 wherein said determining further comprises: 
means for issuing a tunnel ID request including said domain name and a virtual circuit 

identifier; and 
means for receiving a tunnel ED. 

36. (Original) The apparatus of claim 35 wherein an AAA server services said tunnel ID 
request. 



37. (Original) The apparatus of claim 35 wherein said virtual circuit identifier comprises a 
VPWCI identifier. 
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38. (Original) The apparatus of claim 31 wherein said determining further comprises: 
means for performing a table lookup based on a virtual circuit identifier to obtain an 

authorized domain list that includes authorized domains for said virtual circuit 
identifier; 

means for indicating said domain is unauthorized when said domain name is not in said 
authorized domain list; 

means for indicating said domain is authorized when said domain name is in said authorized 
domain list; and 

means for performing a table lookup based on said domain name to obtain a tunnel ID when 
said domain name is authorized. 

39. (Original) The apparatus of claim 38 wherein said virtual circuit identifier comprises a 
VPWCI identifier. 

40. (Original) An access server capable of forcing subscribers of a communications system to 
gain access exclusively to a domain network associated with a virtual circuit, said access 
server comprising: 

an authorized domain list request generator capable of generating an authorized domain list 
request including a virtual circuit identifier associated with a virtual circuit used to 
accept a PPP session authentication request, said PPP session authentication request 
including a domain identifier; 

an assessor capable of determining whether said domain identifier is in said domain list; 
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a tunnel TD request generator capable of generating a tunnel ID* request including said 
domain identifier; and 

an authorizer capable of granting users domain access based upon said authorized domain 
list. 

41. (Original) The access server of claim 40, further comprising: 

a first receiving interface capable of accepting said PPP session authentication request; 
a first forwarding interface capable of sending said authorized domain list request to an 
AAA server; 

a second receiving interface capable of accepting a requested authorized domain list; a 
second forwarding interface capable of sending said tunnel ID request to an AAA 
server; 

a third receiving interface capable of accepting a requested timnel ID; and 
a third forwarding interface capable of forwarding said PPP session on a tunneling session 
associated with said tunnel ID. 

(Original) The access server of claim 40 wherein said tunneling session comprises an L2TP 
session. 

(Original) The access server of claim 42 wherein said virtual circuit identifier comprises a 
Virtual Path Identifier (VPI) / Virtual Channel Identifier (VCI). 
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44. (Original) The access server of claim 43 wherein said first receiving interface comprises at 
least one access multiplexer, each access multiplexer having a plurality of inputs for 
receiving a service request, each of said inputs being associated with a particular subscriber 
virtual circuit. 

45. (Original) The access server of claim 41 wherein said AAA server and said access server 
communicate using the Remote Authorization Dial-In User Service (RADIUS) protocol. 

46. (Original) An access server capable of forcing subscribers of a communications system to 
gain access exclusively to a domain network associated with a virtual circuit, said access 
server comprising: 

a tunnel ID request generator capable of generating a tunnel ID request, said tunnel ID 
request including a virtual circuit identifier associated with a virtual circuit used to 
accept a PPP authentication request; and 

an authorizer capable of granting users domain access based upon a list of authorized 
domains for said virtual circuit. 

47. (Original) The access server of claim 46, further comprising: 

a first receiving interface capable of accepting said PPP session authentication request, said 

PPP session authentication request including a domain identifier; 
a first forwarding interface capable of sending said tunnel ED request to an AAA server; 
a second receiving interface capable of accepting a requested tunnel ID; and 
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a second forwarding interface capable of forwarding said PPP session on a tunneling session 
associated with said tunnel ID. 

48. (Original) The access server of claim 47 wherein said tunneling session comprises an L2TP 
session. 

49. (Original) The access server of claim 48 wherein said virtual circuit identifier comprises a 
Virtual Path Identifier (VPI) / Virtual Channel Identifier (VCI). 

50. (Original) The access server of claim 46 wherein said first receiving interface comprises at 
least one access multiplexer, each access multiplexer having a plurality of inputs for 
receiving a service request, each of said inputs being associated with a particular subscriber 
virtual circuit. 

5 1 . (Original) The access server of claim 47 wherein said AAA server and said access server 
communicate using the Remote Authorization Dial-In User Service (RADIUS) protocol. 

52. (Original) An access server capable of forcing subscribers of a communications system to 
gain access exclusively to a domain network associated with a virtual circuit, said access 
server comprising: 

a memory device capable of storing a domain list table and a tunnel ID table, said domain 
list table including a plurality of virtual circuit identifiers and associated domain 
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identifiers, said tunnel ID table including a plurality of domain names and associated 
tunnel IDs; 

an authorized domain list determiner capable of determining an authorized domain list based 
upon said domain list table and a domain identifier within a PPP authentication request, 
said PPP authentication request received on a virtual circuit having a virtual circuit 
identifier; 

an assessor capable of determining whether said domain identifier is in said domain list; 
a tunnel ID determiner capable of determining a tunnel ID based upon said tunnel ID table 

and said domain identifier; and 
an authorizer capable of granting subscribers domain access based upon said authorized 

domain list. 

53. (Previously Presented) The access server of claim 52, further comprising: 

a receiving interface capable of accepting said PPP session authentication request; and 
a forwarding interface capable of forwarding said PPP session on a tunneling session 
associated with said tunnel ID. 

54. (Original) The access server of claim 53 wherein said tunnehng session comprises an L2TP 
session. 

55. (Original) The access server of claim 54 wherein said virtual circuit identifier comprises a 

* 

Virtual Path Identifier (VPI) / Virtual Channel Identifier (VCI). 
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56. (Original) The access server of claim 52 wherein said first receiving interface comprises at 
least one access multiplexer, each access multiplexer having a plurality of inputs for 
receiving a service request, each of said inputs being associated with a particular subscriber 
virtual circuit. 

57. (Previously Presented) A method for controlling subscriber access in a network capable of 
establishing connections with a plurality of domains, comprising: 

receiving an L2TP session fi'om a subscriber using a first communication network coupled to 
at least one other communication network, said L2TP session optionally including a 
domain identifier associated with a domain on said at least one other communication 
network; 

determining whether said subscriber is authorized to access said domain based upon said 
domain identifier and a list of authorized domains for a virtual circuit used to receive 
said L2TP session, said determining comprising: 

issuing an authorized domain list request including a virtual circuit identifier; 
receiving an authorized domain list that includes authorized domains for said identifier; 
indicating said domain is unauthorized when said domain name is not in said domain 
Hst; 

indicating said domain is authorized when said domain name is in said domain list; 
issuing a tunnel ID request including said domain name when said domain name is 

authorized; 
receiving a tunnel ED; and 
assigning said tunnel ID; and 
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authorizing subscriber access to said domain when said domain identifier is included in said 
list, wherein said L2TP session is forwarded onto a tunnel associated with said tunnel 
ED when said subscriber is authorized to access said domain. 

58. (Previously Presented) The method of claim 57 wherein 

said authorized domain list request is serviced by an AAA server; and 
an AAA server services said tunnel ED request. 

59. (Previously Presented) The method of claim 57 wherein said virtual circuit identifier 
comprises a VPLVCI identifier. 

60. (Previously Presented) A method for controlling subscriber access in a network capable of 
establishing connections with a plurality of domains, comprising: 

receiving an L2TP session from a subscriber using a first communication network coupled to 
at least one other communication network, said L2TP session optionally including a 
domain identifier associated with a domain on said at least one other communication 
network; 

determining whether said subscriber is authorized to access said domain based upon said 
domain identifier and a list of authorized domains for a virtual circuit used to receive 
said L2TP session, said determining comprising: 

performing a table lookup based on a virtual circuit identifier to obtain an authorized 
domain list that includes authorized domains far said virtual circuit identifier; 

indicating said domain is unauthorized when said domain name is not in said authorized 
domain list; 
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indicating said domain is authorized when said domain name is in said authorized 
domain list; 

perforaiing a table lookup based on said domain name to obtain a tunnel ID when said 

domain name is authorized; and 

assigning said tunnel ID; and 
authorizing subscriber access to said domain when said domain identifier is included in said 
list, wherein said L2TP session is forwarded onto a tunnel associated with said tunnel 
ID when said subscriber is authorized to access said domain. 

61 . (Previously Presented) The method of claim 60 wherein said virtual circuit identifier 
comprises a VPI/VCI identifier. 

62. (Previously Presented) A program storage device readable by a machine, embodying a 
program of instructions executable by the machine to perform a method to control subscriber 
access in a network capable of establishing connections with a plurality of domains, the 
method comprising: 

receiving an L2TP session from a subscriber using a first communication network coupled to 
at least one other communication network, said L2TP session optionally including a 
domain identifier associated with a domain on said at least one other communication 
network; 

determining whether said subscriber is authorized to access said domain based upon said 
domain identifier and a list of authorized domains for a virtual circuit used to receive 
said L2TP session, said determining comprising: 

issuing an authorized domain list request including a virtual circuit identifier; 

Page 18 of 32 



CISCO-3096 (032590-0001 18) 
receiving an authorized domain list that includes authorized domains for said identifier; 
indicating said domain is unauthorized when said domain name is not in said domain 
hst; 

indicating said domain is authorized when said domain name is in said domain list; 
issuing a tunnel ID request including said domain name when said domain name is 

authorized; 
receiving a tunnel ED; and 
assigning said tunnel ED; and 
authorizing subscriber access to said domain when said domain identifier is included in said 
Ust, wherein said L2TP session is forwarded onto a tunnel associated with said turmel 
ID when said subscriber is authorized to access said domain. 

63. (Previously Presented) The program storage device of claim 62 wherein 
said authorized domain list request is serviced by an AAA server; and 
an AAA server services said tunnel ED request. 

64. (Previously Presented) The program storage device of claim 62 wherein said virtual circuit 
identifier comprises a VPWCI identifier. 

65. (Previously Presented) A program storage device readable by a machine, embodying a 
program of instructions executable by the machine to perform a method to control subscriber 
access in a network capable of establishing connections with a plurality of domains, the 
method comprising: 
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receiving an L2TP session from a subscriber using a first communication network coupled to 
at least one other communication network, said L2TP session optionally including a 
domain identifier associated with a domain on said at least one other communication 
network; 

determining whether said subscriber is authorized to access said domain based upon said 
domain identifier and a list of authorized domains for a virtual circuit used to receive 
said L2TP session, said determining comprising: 

performing a table lookup based on a virtual circuit identifier to obtain an authorized 
domain list that includes authorized domains far said virtual circuit identifier; 

indicating said domain is unauthorized when said domain name is not in said authorized 
domain list; 

indicating said domain is authorized when said domain name is in said authorized 
domain list; 

performing a table lookup based on said domain name to obtain a tunnel JD when said 

domain name is authorized; and 

assigning said tunnel ID; and 
authorizing subscriber access to said domain when said domain identifier is included in said 
list, wherein said L2TP session is forwarded onto a tunnel associated with said tunnel 
ID when said subscriber is authorized to access said domain. 

66. (Previously Presented) The program storage device of claim 65 wherein said virtual circuit 
identifier comprises a VPWCI identifier. 
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(Previously Presented) An apparatus for controlling subscriber access in a network capable 
of establishing connections with a plurality of domains, comprising: 

means for receiving an L2TP session from a subscriber using a first communication network 
coupled to at least one other communication network, said L2TP session optionally 
including a domain identifier associated with a domain on said at least one other 
communication network; 

means for determining whether said subscriber is authorized to access said domain based 
upon said domain identifier and a list of authorized domains for a virtual circuit used to 
receive said L2TP session, said means for determining comprising: 
means for issuing an authorized domain list request including a virtual circuit identifier; 
means for receiving an authorized domain list that includes authorized domains for said 
identifier; 

means for indicating said domain is unauthorized when said domain name is not in said 
domain list; 

means for indicating said domain is authorized when said domain name is in said 
domain list; 

means for issuing a timnel ID request including said domain name when said domain 

name is authorized; 
means for receiving a tunnel ID; and 
means for assigning said tunnel ID; and 
means for authorizing subscriber access to said domain when said domain identifier is 
included in said list, wherein said L2TP session is forwarded onto a tunnel associated 
with said tunnel ID when said subscriber is authorized to access said domain. 
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68. (Previously Presented) The apparatus of claim 67 wherein 

said authorized domain list request is serviced by an AAA server; and 
an AAA server services said tuimel ID request. 

69. (Previously Presented) The apparatus of claim 67 wherein said virtual circuit identifier 
comprises a VPI/VCI identifier. 

70. (Previously Presented) An apparatus for controlling subscriber access in a network capable 
of establishing connections with a plurality of domains, comprising: 

means for receiving an L2TP session fi-om a subscriber using a first communication network 
coupled to at least one other communication network, said L2TP session optionally 
including a domain identifier associated with a domain on said at least one other 
communication network; 

means for determining whether said subscriber is authorized to access said domain based 
upon said domain identifier and a list of authorized domains for a virtual circuit used to 
receive said L2TP session, said means for determining comprising: 
means for performing a table lookup based on a virtual circuit identifier to obtain an 
authorized domain list that includes authorized domains far said virtual circuit 
identifier; 

means for indicating said domain is unauthorized when said domain name is not in said 

authorized domain list; 
means for indicating said domain is authorized when said domain name is in said 

authorized domain list; 
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means for performing a table lookup based on said domain name to obtain a tunnel ID 
when said domain name is authorized; and 
assigning said tunnel ID; and 
means for authorizing subscriber access to said domain when said domain identifier is 
included in said list, wherein said L2TP session is forwarded onto a tunnel associated 
with said tunnel ID when said subscriber is authorized to access said domain. 

(Previously Presented) The apparatus of claim 70 wherein said virtual circuit identifier 
comprises a VPWCI identifier. 
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